Anomaly detection is the search for items or events which do not conform to an expected pattern. The detected patterns are called anomalies and translate to critical and actionable information in several application domains.
There are different categories of anomaly detection including unsupervised and supervised anomaly detectors. Unsupervised anomaly detection techniques detect anomalies in an unlabeled test data set under the assumption that the majority of the instances in the data set are normal by looking for instances that seem to fit least to the remainder of the data set. Supervised anomaly detection techniques require a data set that has been labeled as “normal” and “abnormal” and involves training a classifier.
Anomaly detection is applicable in a variety of domains, such as intrusion detection, fraud detection, fault detection, event detection in sensor networks, etc. Nonetheless, a particular type of intrusion detection has remained problematic. More specifically, a zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application. Zero-day attacks are used or shared by attackers before the developer of the target software knows about the vulnerability. As such, they can be very difficult to defend against.